CVE-2025-59944
BaseFortify
Publication date: 2025-10-03
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anysphere | cursor | up to and including 1.6.23 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Cursor, an AI-assisted code editor, in versions 1.6.23 and below. Cursor's protection for sensitive files such as .cursor/mcp.json relied on a case-sensitive path check, which does not match how case-insensitive file systems (the default on Windows and macOS) resolve paths; a differently cased spelling of the same path therefore bypassed the check. An attacker could use prompt injection to make the editor modify these files, which can lead to remote code execution (RCE). The issue is fixed in version 1.7.
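The CWE-178 pattern behind this advisory is easiest to see side by side: a naive check that compares the requested path to a protected path as an exact string, and a hardened check that compares the way a case-insensitive file system will. The code below is an added illustration written for this page, not Cursor's own code; the function names, the `PROTECTED_FILES` set and the sample write targets are constructed for the example.

```python
import unicodedata
from pathlib import PurePosixPath

# Constructed example, not Cursor's code. Paths are workspace-relative.
PROTECTED_FILES = {".cursor/mcp.json"}


def canonical(rel_path: str) -> str:
    """Resolve '.', '..' and redundant separators without touching the disk.
    Backslashes are treated as separators so Windows-style input is covered."""
    parts = []
    for part in PurePosixPath(rel_path.replace("\\", "/")).parts:
        if part in ("", ".", "/"):
            continue
        if part == "..":
            if parts:
                parts.pop()
            continue
        parts.append(part)
    return "/".join(parts)


def is_protected_naive(rel_path: str) -> bool:
    """CWE-178 pattern: exact, case-sensitive comparison on a path that the
    file system may resolve case-insensitively. '.Cursor/MCP.JSON' and
    '.cursor/mcp.json' are the same file on such a system, but only the
    second spelling matches here."""
    return canonical(rel_path) in PROTECTED_FILES


def is_protected_hardened(rel_path: str, case_insensitive_fs: bool = True) -> bool:
    """Compare the way the file system will: fold case (and Unicode-normalise)
    when the FS is case-insensitive. The conservative default is deliberate:
    an editor often cannot be sure which file system a workspace lives on,
    and wrongly blocking a write is far cheaper than wrongly allowing one."""
    def key(p: str) -> str:
        c = unicodedata.normalize("NFC", canonical(p))
        return c.casefold() if case_insensitive_fs else c
    return key(rel_path) in {key(p) for p in PROTECTED_FILES}


def audit_write_requests(requests, case_insensitive_fs: bool = True):
    """Return (path, naive_blocks, hardened_blocks) for each requested write so
    the two policies can be compared over a batch of tool-call targets."""
    return [
        (r, is_protected_naive(r), is_protected_hardened(r, case_insensitive_fs))
        for r in requests
    ]


if __name__ == "__main__":
    # Constructed sample write targets, as an agent tool call might request them.
    SAMPLE = [
        ".cursor/mcp.json",                       # both policies block
        ".Cursor/MCP.JSON",                       # only the hardened check blocks
        "src/.cursor/../../.cursor/mcp.json",     # traversal back to the same file
        "src/main.py",                            # ordinary file, neither blocks
    ]
    for path, naive, hardened in audit_write_requests(SAMPLE):
        print(f"{path!r:42} naive_blocks={naive!s:5} hardened_blocks={hardened}")
```

The second sample line is the whole point of the CWE: the naive policy lets it through while the hardened one does not. Note that `canonical` also collapses `..`, since a case-aware comparison is only meaningful once both sides are in the same canonical form.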
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to modify sensitive files within the Cursor IDE through prompt injection, potentially leading to full remote code execution on the affected system. This means an attacker could execute arbitrary code remotely, compromising the security and integrity of your system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Cursor IDE to version 1.7 or later, as this version fixes the case-sensitive check issue that allows prompt injection and remote code execution.